Building a healthcare cybersecurity strategy that works

In this Help Net Security interview, Wayman Cummings, CISO at Ochsner Health, talks about building a healthcare cybersecurity strategy, even when resources are tight. He explains how focusing on areas like vulnerability management and network segmentation can make the biggest difference.

Cummings also shares how balancing investments across people, processes, and technology can strengthen both resilience and patient trust.

When building a healthcare cybersecurity strategy, where should leaders start, especially if resources are limited?

Senior leaders should anchor their cybersecurity strategy in foundational controls that deliver high impact with manageable investment. Key pillars include vulnerability management and network segmentation. Even with constrained budgets, these two areas offer returns on risk reduction.

For vulnerability management, leaders should prioritize patching systems with known exposures. Focus on assets that can be remediated quickly to reduce the attack surface and mitigate risks.

With network segmentation, the goal is to restrict lateral movement across systems. This limits the blast radius of any breach and strengthens overall resilience.

Additionally, cultivating a culture of cybersecurity awareness across your organization is essential. In fact, cybersecurity awareness might be one of the most important and cost-effective pillars. With targeted education and training your teams will be better prepared to recognize threats.

How do you recommend healthcare organizations prioritize investments across people, processes, and technology?

Healthcare organizations should align cybersecurity investments with the protection of their most valuable assets: people and data.

We as leaders in security have to safeguard our workforce and our patient populations. We should invest in user-centric security controls such as MFA, passwordless access, and anti-phishing technologies. These not only reduce risk but also improve operational efficiency.

When it comes to data management, I recommend that organizations move from basic segmentation to micro-segmentation, which isolates workloads and applications. This granular approach will ensure that even if one segment is compromised, the threat is further contained and impact minimized.

How can healthcare providers gain greater visibility into their supply chain without overburdening their teams?

Healthcare providers need vendors to take a more active role in cybersecurity. We need to require vendors to maintain current patch levels, and work towards migration to current operating systems, especially for legacy systems that are still prevalent in healthcare environments.

When it comes to API integrations, only essential data should be exchanged. This reduces exposure and simplifies compliance. I would recommend that healthcare organizations conduct an API audit to ensure the minimum data necessary is being exchanged.

Finally, we must establish expectations for the data governance process. There has to be collaboration in governance for cybersecurity transparency and accountability across vendor relationships. This shifts the burden from internal teams to a shared responsibility.
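One way to turn the API audit recommended above into a repeatable check, as an added example that is not code from the interview, Ochsner Health, or any vendor: each integration gets an allowlist of the fields it is contracted to receive, and observed payloads are compared against it, with high-sensitivity PHI fields escalated separately. The vendor names, allowlists, sensitive-field set and sample payloads are all constructed for illustration.

```python
"""Minimum-necessary API audit: compare what each vendor integration actually
exchanges against the fields it is contracted to receive (constructed example)."""
from typing import Iterable

# Hypothetical per-vendor allowlists: the fields each integration is entitled
# to receive. In practice these come from the data-sharing agreement / data map.
ALLOWLIST = {
    "scheduling-vendor": {"patient_id", "appointment_time", "department"},
    "billing-vendor": {"patient_id", "encounter_id", "charge_codes", "insurance_id"},
}

# Fields treated as high-sensitivity PHI; sharing them without need is escalated.
SENSITIVE = {"ssn", "diagnosis_codes", "medications", "date_of_birth", "home_address"}

# Constructed sample of observed outbound payloads (e.g. taken from gateway logs).
OBSERVED = [
    {"vendor": "scheduling-vendor",
     "payload": {"patient_id": "P-1001", "appointment_time": "2025-03-01T09:00",
                 "department": "Cardiology", "ssn": "xxx-xx-1234",
                 "diagnosis_codes": ["I10"]}},
    {"vendor": "billing-vendor",
     "payload": {"patient_id": "P-1001", "encounter_id": "E-77", "charge_codes": ["99213"],
                 "insurance_id": "INS-9", "home_address": "redacted"}},
    {"vendor": "billing-vendor",
     "payload": {"patient_id": "P-1002", "encounter_id": "E-78", "charge_codes": ["99214"]}},
]

def audit_payload(vendor: str, payload: dict) -> dict:
    """Return the fields exchanged beyond the vendor's allowlist, split into
    sensitive PHI (escalate) and other over-sharing (remediate with the vendor)."""
    allowed = ALLOWLIST.get(vendor, set())   # unknown vendor: nothing is allowed
    extra = set(payload) - allowed
    return {
        "vendor": vendor,
        "sensitive": sorted(extra & SENSITIVE),
        "other_excess": sorted(extra - SENSITIVE),
    }

def audit(observed: Iterable[dict]) -> list[dict]:
    """Audit every observed exchange and keep only the records with findings."""
    findings = []
    for rec in observed:
        result = audit_payload(rec["vendor"], rec["payload"])
        if result["sensitive"] or result["other_excess"]:
            findings.append(result)
    return findings

if __name__ == "__main__":
    for f in audit(OBSERVED):
        print(f"{f['vendor']}: sensitive={f['sensitive']} other={f['other_excess']}")
```

Payloads that match their allowlist exactly produce no finding, so the report lists only the integrations that need a data-minimization conversation.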

What does a well-prepared incident response plan look like for a healthcare organization, especially when patient safety is at stake? How can they test and refine their incident response plans without disrupting daily operations?

A mature incident response plan should prioritize continuity of care and rapid recovery.

There are four buckets to an incident response plan. They are: detection, containment, mitigation, and restoration.

The first thing that has to happen is the identification of anomalies or breaches. Once those breaches are identified, you move to containment. The goal is immediate isolation of affected systems to prevent spread.

This is why network segmentation and micro-segmentation of data are so important to a cybersecurity strategy.

Once the threat is contained, you want to mitigate the damage and take swift action to neutralize additional threats. Finally, there is the restoration process. This is the focused recovery of systems critical to patient safety and clinical operations.

Incident response plans should be tested and challenged regularly. Testing should be conducted via tabletop exercises and simulations, allowing teams to rehearse scenarios without disrupting live environments, similar to emergency drills used in clinical and military settings.

What changes do you anticipate in the regulatory landscape over the next few years, especially around data privacy and AI?

Over the next few years, healthcare leaders should prepare for a more prescriptive and expansive regulatory landscape. I anticipate there will be greater HIPAA enforcement. We can expect tighter compliance requirements and increased scrutiny and a rush of AI regulation. Emerging frameworks will address ethical use of AI, rules around data privacy, and algorithmic transparency, especially in clinical decision support and diagnostics.

We’re watching the Cybersecurity Act of 2025. If enacted, this legislation will mandate enhanced cybersecurity controls across healthcare entities, which is important, and a good thing. We can also anticipate sector-specific guidance from NIST, reflecting the industry’s elevated risk profile and unique operational challenges. Proactive engagement with these evolving standards will be essential to maintaining compliance and trust.
